No ads? Contribute with BitCoins: 16hQid2ddoCwHDWN9NdSnARAfdXc2Shnoa
Nov 262016

(actually we don’t usually sit in the data centre; it’s too noisy and usually the wrong temperature for people)

There is a perception amongst people that security “gurus” who work in network security are spying on all your network traffic. Not the hackers (which is a whole other matter), but the people who run enterprise firewalls. We do, but we’re not interested in what you are doing but instead what is being done to you (and the enterprise as a whole).

Frankly nothing strikes me as more boring than spying on someone’s porn browsing – if I really need to, I’ll hunt down my own porn thank you very much! And we’re busy; you could probably double the size of every network security team in every organisation on the planet and still nobody would be sitting around twiddling their thumbs.

On the subject of porn (as an extreme example), it is not a security issue. There is an argument that browsing porn sites is putting yourself at greater risk of picking up some kind of nasty infection, but avoiding porn sites to avoid getting infected with malware is a tactic that results in your computer being infected. So the intended content isn’t a problem as far as security is concerned, but we’re interested in unintended content.

Now there are places that enforce browsing censorship – blocking anything that isn’t work-related. That role is usually dumped on the network security people because they have the tools to do the job.

Does porn browsing on the office matter? Of course it does – some people are upset by the sight of such things, and almost as important, when someone is browsing porn they are not working. But such matters are best dealt with in the office by the line manager – if someone isn’t doing their work it doesn’t matter if they are browsing porn, hitting Facebook, or snoozing under the desk. All should be dealt with appropriately by the line manager.

And centralised censorship is a rather clumsy tool – blocking Facebook is all very well if it is to prevent personal usage of the Internet, but what about the Marketing department using Facebook for publicity? Or the Customer Service department keeping an eye on Facebook for product problems that they need to look into? These can be allowed through on a case-by-case basis, but it highlights that censorship is a clumsy tool.

The word from a nameless vendor who is in this space, is that in many cases this censorship has less to do with preventing people from doing “naughty” things, and more to do with controlling bandwidth usage. And as bandwidth becomes cheaper, there is less interest in censoring Internet activities – certainly from a personal perspective I notice a decrease in the number of people who complain they cannot visit certain sites because of work’s “firewall”.

There is also the subject of TLS inspection where firewalls intercept and inspect TLS or SSL encrypted traffic between you and “out there”. Again there is a suspicion that we are for whatever reason spying on your activities. The answer to this is the same as previously – why should we bother? It is too much like hard work, and frankly most of the information that passes through a firewall is unbelievably boring.

No, TLS interception is used to do the boring task of inspecting traffic for malware, spyware, and other security threats. And with the increasing use of TLS to encrypt traffic it is becoming more and more important to do TLS interception for security reasons.

Yes there are those who would use that sort of technology to spy on your activities, but those organisations are typically nation states … and repressive ones at that. But it is extreme foolishness to blame a useful tool for the abuses that an abusive government perpetrates.  Your average enterprise just isn’t that interested in what you’re up to.

And if you still don’t believe this, there is a simple answer: Do anything private on your own private network.


Oct 222016

Yesterday lots of people found the Internet disappearing on them due to a significant DDoS attack against the DNS infrastructure of one company. Now there are all sorts of suggested fixes for this sort of problem, some of which are useful.

However it is notable that people have not mentioned one method built into DNS which could have been used more effectively. Indeed one suggestion was for the DNS to do something it already does – caching.

When you ask your ISP’s DNS servers to resolve a name such as, the answer that your ISP’s DNS server gets back contains several bits of information in addition to the answer you are interested in (the IP address to connect to). One of which is how long to cache the value for, which means that your ISP’s DNS servers can save themselves some work for as long as they are allowed to cache the answer for.

Now it is awfully convenient to set this value to something like 5 minutes because if you have a need to change the value, it is nice to have the value change as quickly as possible.

But it also increases your vulnerability to a weaknesses in the DNS infrastructure.

If you increase the time-to-live (TTL) value to something more like 24 hours, then your DNS servers (or more usually the DNS servers of your DNS service provider) are required less frequently which means that if something takes them offline for any reason then there would be a decreased impact. It will still stop some people from getting the DNS answers they need, but the proportion unable to get an answer will drop dramatically.



Sep 282016

One of the things that has happened recently was that a commentator on security matters (Brian Krebs) was taken offline by a massive denial of service attack, which (not so) mysteriously happened after he published an article on denial of service attacks. The short version of the story was that his site was hit by a denial of service attack totalling approximately 650Gbps (that’s roughly 6,000 times as much network bandwidth as your typical broadband connection), when his denial of service protection threw their hands up in the air and said: “That’s too much like hard work for a pro-bono service” and gave him 2 hours to move his site.

Google helpfully provided an alternative with Project Shield, and the site was reasonable quickly available again. And to be fair to the original denial of service attack providers (which I’m not naming), this level of attack was sufficient to cause problems to their paying customers and protecting from this level of attack is very expensive.

And indeed paying for denial of service protection is very expensive; the income for the entire lifetime of this blog site would pay for approximately 2 hours of protection. If that.

There are two aspects to this attack, although to be honest neither are particularly new.

The first is technical. Most distributed denial of service attacks are quite simple in nature – you simply ask a question of a dumb “server” with the return address of the site you want to attack. If you send out enough questions to enough dumb “servers” (which can actually be simple workstations or even Internet of Things devices), then you can overwhelm most sites on the Internet.

There are two fixes for this :-

  1. Don’t run dumb and insecure servers.
  2. ISP’s should stop allowing people to forge addresses on network traffic (Ingres Filtering or BCP38).

The second fix is the simplest method, but given how successful the decades long campaign for ISPs to do ingres filtering has been, tackling both ISPs and dumb servers is worthwhile.

As this latest attack may have been chiefly by IoT devices simply sending requests to the victim, the implementation of ingres filtering may not have been of much use in this case, but it is still worthwhile – this attack is not the only one that is happening. Attacks are happening constantly. However, tackling these “dumb servers” that were controlled by the attacker is also a priority, and we need to start seeing concrete action by the ISPs to tackle their customers’ mismanaged networks (home networks in many cases) – aggressive filtering of infected customer networks, and customer notifications that include advice.

Of course ISPs are not going to like doing that just as IoT manufacturers don’t like paying more to make secure appliances. Well, it’s time to name and shame the worst offenders; the bad publicity may help to counteract the lack of incentive to invest in processes that don’t immediately help the bottom line.

The second aspect is rather more serious. We now have an Internet where it is relatively easy to silence anyone who says something you do not like – if you’re rich enough to hire a denial of service gang. Anyone that is who cannot afford protection from such gangs, and there are suspicions that some gangs also provide denial of service protection services.

And this story is not the first time it has happened, and we need to start thinking about mechanisms to keep smaller publishers online when attackers try to censor them. Unless we want all our media controlled by the big players of course.

2016-03-28-swamped bandstand.small

Jul 142016

One of the throw-away statistics I tripped over recently was that there are 5 new malware releases every second.  Now many of those new releases are variations on a theme – there are pieces of software designed to distort a piece of malware into a new piece of malware with the same functionality. This is done deliberately to evade anti-virus software.

And it works. Every so often I feed some strange mail attachments into virustotal to find out how widely it is recognised. It is not uncommon to find that only 2-3 will recognise it as malware out of 50-odd virus checkers on that site. So if you happen to be dumb enough to download and activate the attachment, your anti-virus checker has a roughly 5% chance of protecting you.

Not exactly what you should expect.

I recently sat through a sales pitch for a not-so-new corporate product that does anti-malware protection very differently. Of course it is also insanely expensive, so I will not mention the actual product, but it does offer something new. Protection against malware by checking and blocking behaviour.

Whilst they add all sorts of clever data analysis tricks, fundamentally anti-virus products recognise malware because they recognise the data that makes up the malware. If they don’t recognise the signature of the malware, then they do not know it is malware; so they have an incredibly difficult time recognising new malware releases.

But recognising malware based on behaviour is far more likely to successfully recognise malware – for example by recognising an attempt to make itself persistent in a way that an ordinary application does not do, and blocking it. Which is a far more practicable method of blocking malware (if it works!).

It is also something that should probably be built into operating systems, which to a certain extent already has been.

The New Defence

The New Defence



Jan 312016

Thanks to the Let’s Encrypt project, my blog now has a trusted certificate and traffic to it is encrypted.


Of course there is nothing especially private about this blog, so why encrypt?

Well for one thing, by encrypting those who log in can keep their account details private.

But for the overwhelming majority of visitors (who do not log in) all it adds is a bit of privacy. Snoopers still know that you are visiting a dodgy website lurking underneath my stairs, but they won’t know what lurid posts you are reading.

Nov 042015

The draft #IPBill or more conventionally the draft of the upcoming Investigatory Powers Bill. And some random thoughts on it …

First of all this is not really anything new, as this bill wraps up and modifies existing legislation regarding legal "snooping" in the UK. Whilst it is sensible to pull in multiple existing bills and incorporate the powers in just one place, it makes it a lot harder to see what is new.  There could well be new draconian powers in this draft bill; in fact there probably are, but it is hard to see just what is new.

And there are few people I would rather trust less in drafting such a bill than Theresa May

It is worth noting that the most draconian powers under this bill are not new; in fact once we analyse it properly it may be that there is very little that is really new. 

Oh! And just to state the obvious: Ignore the spin at the beginning; it's the easiest section to read, but may be somewhat deceptive (either deliberately or because it over-simplifies matters).

There are new protections against abuse in this draft bill – specifically the Judicidial Commissioners who will sign off on warrents if they feel they are justified. However how much protection does a current or former High Court judge offer? Well one that co-operates with the government by reflex isn't going to be much help. We need one that is suspicious of government and protective of individual rights.

And there's an escape clause – an "urgent" warrent can be approved without a JC, although it only lasts for five working days rather than six months. Of course the JC gets to approve it (or deny it) after the fact, but this turns this protection into a fig-leaf. And of course the "national security notices" have no oversight before they are issued.

The other thing that occurs to me: What is the difference between a public telecommunications provider and a private telecommunications provider? I dare say that most people won't know when they connect to a network which they're on. And there are different provisions depending on whether the network is public or private – as an example it would be legal for a private telecommunications provider to intercept. 

The purpose behind the #IPBill is supposedly to combat serious crime and to defend the "national interest" in security matters, but some of the provisions allow for economic considerations to be taken into account. So the government plans to sell our communications data to interested parties? Perhaps that's not what they intend, but it doesn't look like there's anything to stop them.

It is interesting to note that local authorities are specifically excluded from certain provisions – they of course are well known for taking previous instruments, and using them for purposes other that what was intended.

MP's have extra protection under this bill, and people are somewhat cynical about the reasons for this – perhaps thinking it's to protect Theresa May's porn browsing habits (Ew! I think I just threw up in my mouth just a bit). Actually, in theory it's not entirely unreasonable when you think of it as a measure to protect the privacy of the MP's constituents who may be discussing privileged information with their MP.

Of course that very quickly dies a death when you look closer at the list of MP's that are protected – all the MP's from the national parliaments, plus MEPs from UK constituents. If you raise a matter with your MEP, she may very well suggest speaking to another MEP – such as the MEP from from somewhere other than the UK if they happen to be the rapporteur (yes Dave, I finally remembered) for a particularly specialised subject area.

There is a fair amount of wordage within the bill dedicated to keeping warrents and retention notices secret – disclose such the existence of such things and you're looking at gaol time. I can see the argument for why such notices should be secret – for a certain duration, but they should be made public eventually so that their use can be judged in the court of public opinion.

Undoubtedly I'll think of additional points to make as I get further into the bill …

Oct 242015

Rusty_PadlockRelated to my rant regarding the TalkTalk hack that I've just posted, is an associated rant about security advice from the media. It's spotty at best, and downright unhelpful or just plain wrong at worst.

I've been stuck indoors today waiting for someone to paint my front door, so amongst various household tasks that I've reluctantly undertaken, I've also had the BBC News 24 channel blaring out. And of course the TalkTalk hacking incident has been making a regular appearance. And on occasions the security advice has been less than stellar; in fact some of it stinks like a rhino's rancid rectum.

It Was A DDoS

(bang) as my head hits the table.

No, the TalkTalk hack had nothing at all to do with a distributed denial of service attack. There may have been a DDoS attack just before the hacking incident, but it was not related (even if it was done by the same people). A DDoS attack is the cyber equivalent of getting all your friends to shout at someone you don't like; it's noisy, stops you communicating, and is as annoying as hell.

But once it is over, things are back to normal (except for writing an incident report). 

Breaking into a server and stealing the personal data of customers is not any kind of denial of service attack. It's an intrusion, and an exfiltration; there are two seperate events there. Labelling either as a "DDoS" just makes you look like an idiot.

Look At The Email Headers

(bang) as my head hits the table.

Email headers can be forged; those headers you see normally ("From", "Subject", "Date", etc.) are nothing more than comments. They are not to be trusted. Even if you reveal the hidden headers (and there's a lot you don't see), the story they show can be mostly forged. It takes a real expert to distinguish between a phishing email and a legitimate email from just the headers.

Even something geeky like PGP digital signatures can be forged if you are dealing with an organisation that has been compromised. And who uses PGP?

Don't trust emails with the name of a compromised organisation on.  

Change Your Passwords As Frequently As Possible

(bang) as my head hits the table.

Changing you password frequently doesn't actually accomplish that much. It is better to keep the same password for a year, if it is long and strong, than it is to change your password every month if it is simple and weak.

Long and strong passwords are tedious to remember – especially for web sites you rarely use. So use a password manager like KeePass. If you want to use a different password manager, seek out a security geek and ask for their recommendations. And the geekier the application site looks, the better; the site should be droning on about 3DES, AES, and all sorts of inscrutable cryptogeek mathematics; you don't have to understand it all, but it's absence on a web site is a bad sign.

Use different passwords on different sites. This is also tedious, and can be relaxed for less important web sites – that is those web sites that don't store more personal information about you than your name. And tedious is a good thing when it saves you from the stress of finding out your bank accounts are empty.

Don't Blame The Victim

It's all very well being sympathetic to those victims who have found their bank accounts emptied, but they are not necessarily related to this latest incident.

And they're not entirely blameless. 

If they hadn't shared information with hackers who already had some of their data, or they had not used the same password for their bank as TalkTalk, then they would not be victims.

And this is hardly new advice.

The media should be sending the message that these victims have been dumb; yes there may be extenuating circumstances, but they have still been dumb. And dumb TalkTalk customers will likely end up with their money and/or identity stolen.

Oct 242015

The reaction to the latest big leak (from TalkTalk) has been interesting … there's a certain amount of sympathy for TalkTalk, with people blaming the cybercriminals and claiming that no system can be made fully secure. There's a nugget of truth in saying something like that, but it's not the whole truth.

Yes, there is a truism within the security world that there is no such thing as a secure computer; or rather that the only secure computer is one that has been turned off, had it's disks thrown into an active volcano, has been entombed within a huge concrete block, and has been buried at the bottom of the Mariana Trench (add as many ways of saying "unreachable" as your audience can stand). But it's a truism, and isn't supposed to be used as a get out of gaol free card by anyone getting their data hacked.

If it is true about the ransom demand (and it's not impossible that the ransom demand came from someone other than the group that hacked TalkTalk), the hackers were probably just after money. In which case they didn't target TalkTalk directly; they probably targetted all of the big ISPs and picked the "low hanging fruit". That translates as the hackers did a vulnerability scan of all the ISPs and found that TalkTalk were the easiest to attack. 

And it is not as if this has not happened before :-

Looks like they keep getting hacked (and these are just the ones that we know about). By selling the details on, the hackers will have already made plenty of money from hacking TalkTalk.

Yes, ultimately the cybercriminals are responsible for hacking TalkTalk and stealing the data, but that does not mean that TalkTalk are not to blame for not taking adequate action to protect themselves against hacking. There is a whisper that this hack was due to an SQL injection attack which isn't some kind of masterclass hacking attack, it's in the hands of script kiddies. And is prima faca evidence that TalkTalk haven't reviewed their code for security vulnerabilities for years

There's calls for the government (it's interesting how the free market fans always cry help to the government every time they encounter a problem) to tackle cybercrime.  But it is also time to give the Information Commissioner the power to fire company executives, and use it against the TalkTalk executives. Simply blaming the cybercriminals lets executives who are asleep at the wheel to get away with their incompetance. 

And perhaps the Institute of Directors should start talking about minimum budgets for IT security.

But more importantly, it is essential that security is deeply embedded throughout every department of IT; it is all too easy to establish security tokenism. Simply appoint someone in charge of security, and then say "No" to any suggestion that requires money or incovenience.


Oct 212015

So there's this new TV series called "CSI: Cyber" (well technically it's new to me and the UK) which is all about an FBI cybercrime unit. 

As it hapens cyber security (if you insist on calling it that) is something I know a bit about. And so this new TV series has two ways of amusing me – the normal entertainment that TV offers, and of course the chance at falling about laughing at the mistakes.

Is it entertaining in the first sense? It's an American cop show with a bit of added "tech", so to some extent it stands out of the American cop show crowd (or perhaps flood). So yes, it's mildly entertaining; nothing worth staying in for, but it will kill an hour that you're too tired to do anything more productive with.

In the second sense I mentioned – yes it's got that in spades.

The most obvious flaw is that everything happens too quickly. Analysing a malicious printer firmware as you plug in the USB disk that contains it? Not going to happen. Finding a zero-day exploit in a collection of IoT devices within an hour? Not going to happen. Hacking a municipal transport network whilst being driven around at furious speed? Well that could happen if you had already done it (they hadn't), but it isn't something you would really try.

Causing a printer to burst into flames with a malicious firmware? I believe the possibility was jokingly mentioned a few years ago when printer firmware became a target for attack amongst the white hat community, but it was also mentioned that it was pretty unlikely as things like thermal cut-out units are isolated and hardwired – you can't turn them off.

Or a malicious exploit causing a laptop battery to burn up; I'm not saying that's impossible, but again battery pack microcontrollers are usually isolated from the computer they power. 

Labelling "zero-day exploits" as something that effects personal devices? Just plain daft, although the rest of the definition was Okay.

Is this a problem? Well, sensible people will realise that this is all just entertainment and will not take it seriously. Indeed it may increase the realisation that criminals with IT skills (and governments) can cause nasty things to happen; even if this show highlights the wrong kind of nasty things. 

Of course the knuckle-dragging neanderthals (with apologies to the real Neanderthals) who watch this show and pay attention (so perhaps there isn't much danger after all) will assume that everything this show demonstrates is for real. And starts panicing anytime someone whips out a copy of metasploit

I imagine I'll be saying: "It's just entertainment" many times over the years.

Sep 122015

According to the latest advice from CESG: "Regular password changing harms rather than improves security, so avoid placing this burden on users."


(Thanks to

Most of the advice given is eminently sensible, and indeed forcing password changes on a frequent basis does more harm than good – when forced to change their passwords every 30 days (yes really!), people will commonly resort to sanity and use passwords of the form: someword-${month} (such as "happy-July"). However the advice to never force password changes was obviously written by someone who is under the belief that staff accounts have a somewhat limited lifetime – people change jobs, etc.

There is still a great deal to be said for changing passwords less frequently – say every couple of years. Or even a random number of days between 730 and 1,095, which will help to randomise calls to the Helpdesk. Amongst other things :-

  1. The concept of a strong password changes over the decades; allowing account passwords to remain the same for the lifetime of a staff account will mean that a considerable number of staff accounts will have weak passwords.
  2. There is such a thing as "accidental shoulder surfing" whereby someone acquires knowledge of part of your password by merely being present when you enter it. Over time they can acquire more and more of your password. 
  3. Only changing an account password when there is a suspicion it has become compromised means that there is no mechanism to lock stealthy intruders out. Whatever kind of anomolous account behaviour detection mechanism you have in place, there is always the chance that a compromised account can remain below the radar; periodic password changes do lock this intruder out.
  4. Less directly, but forcing regular account password changes on an infrequent basis does have the side effect that it allows the education of people that passwords can be compromised.

Of course every security person who read the CESG advice on passwords probably thought "Great. Now who is going to educate the auditors?". 

Facebook Auto Publish Powered By :

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.